Ubuntu / Debian Linux: Setup An ISC DHCP Server For Your Network

Published November 28, 2012 · 10 comments · last updated December 10, 2012


How do I setup a DHCP server for my local area network (LAN) using Debian Linux 6 or Ubuntu Linux server running on my IBM hardware?

The Dynamic Host Configuration Protocol (DHCP) allows clients such as desktop, laptop, and mobile devices to request and obtain an IP address and many other parameters from a server.
Tutorial details
Difficulty: Intermediate
Root privileges: Yes
Requirements: Debian 6 or Ubuntu, ISC dhcpd
Estimated completion time: N/A

ISC's DHCP server software

ISC's DHCP software is the most widely used open source DHCP implementation on the Internet. The same software can be used for LAN too. It is a carrier and enterprise grade solution to your host configuration needs.

Installing the DHCP server

Type the following apt-get command as root user to install the DHCP server:
# apt-get install isc-dhcp-server
Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  isc-dhcp-server-ldap
The following NEW packages will be installed:
  isc-dhcp-server
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 0 B/411 kB of archives.
After this operation, 938 kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package isc-dhcp-server.
(Reading database ... 281728 files and directories currently installed.)
Unpacking isc-dhcp-server (from .../isc-dhcp-server_4.1.1-P1-15+squeeze8_amd64.deb) ...
Processing triggers for man-db ...
Setting up isc-dhcp-server (4.1.1-P1-15+squeeze8) ...
Generating /etc/default/isc-dhcp-server...
Starting ISC DHCP server: dhcpdcheck syslog for diagnostics. ... failed!
 failed!
invoke-rc.d: initscript isc-dhcp-server, action "start" failed.

Configure the DHCP server

The configuration file for dhcpd is called /etc/dhcp/dhcpd.conf. The file comes with a number of global configuration options. Type the following command to edit the file:
# vi /etc/dhcp/dhcpd.conf
Prevent the DHCP server from performing dynamic DNS updates on behalf of clients by setting the following global option (this is a security feature):

ddns-update-style none;

You need to set your domain name and name server:

## Set a domain name for your LAN ##
option domain-name "nixcraft.net.in";
 
## Set DNS server IP addresses; you can point clients at your ISP's DNS servers or a public resolver such as Google DNS too ##
option domain-name-servers 192.168.1.2, 192.168.1.3;
 

Increase the lease time. The time is set in seconds:

 
### Set the length in seconds that will be assigned to a lease if the client requesting the lease does not ask for a specific expiration time. ##
### This is used for both DHCPv4 and DHCPv6 leases (it is also known as the "valid lifetime" in DHCPv6). ###
default-lease-time 86400;
 
## Set the maximum length in seconds that will be assigned to a lease ##
max-lease-time 604800;
 

The authoritative directive should be uncommented:

authoritative;

The authoritative directive indicates that the DHCP server should send DHCPNAK messages to misconfigured clients. If this is not done, clients will be unable to get a correct IP address after changing subnets until their old lease has expired, which could take quite a long time. Finally, update the configuration file with your subnet as follows:

 
subnet 192.168.1.0 netmask 255.255.255.0 {
        ## dhcp start  and end IP range ##
        range 192.168.1.100 192.168.1.200;
        option subnet-mask 255.255.255.0;     ## subnet 
        option broadcast-address 192.168.1.255; ## broadcast
        option routers 192.168.1.254; ## router IP
}
 

Where,

  1. subnet 192.168.1.0 netmask 255.255.255.0 { - The subnet statement is used to provide dhcpd with enough information to tell whether or not an IP address is on that subnet. It may also be used to provide subnet-specific parameters and to specify what addresses may be dynamically allocated to clients booting on that subnet. Such addresses are specified using the range declaration. In this example 192.168.1.0 is the subnet-number and should be an IP address or domain name which resolves to the subnet number of the subnet being described. The netmask 255.255.255.0 should be an IP address or domain name which resolves to the subnet mask of the subnet being described. The subnet number, together with the netmask, are sufficient to determine whether any given IP address is on the specified subnet.
  2. range 192.168.1.100 192.168.1.200; - For any subnet on which addresses will be assigned dynamically, there must be at least one range statement. The range statement gives the lowest and highest IP addresses in a range. All IP addresses in the range should be in the subnet in which the range statement is declared. 192.168.1.100 is the starting IP address and 192.168.1.200 is the ending IP address in this pool.
  3. option subnet-mask 255.255.255.0; - Use this subnet-mask.
  4. option broadcast-address 192.168.1.255; - Use this broadcast address.
  5. option routers 192.168.1.254; - Use this gateway address i.e. the address of your router connected to the Internet.

Save and close the file. To check the syntax of dhcpd.conf file for errors, run:
# dhcpd -t
OR
# dhcpd -t /etc/dhcp/dhcpd.conf
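The syntax check above only tells you whether dhcpd can parse the file. As an added example (not part of the original article and not ISC code), the following POSIX shell script applies the subnet-number/netmask test described in item 1 to the values of the subnet block, so that a range or router address outside the subnet, a router address inside the dynamic pool, or a broadcast address that does not match the netmask is reported before the file reaches dhcpd. The function names ip2int and check_subnet are my own; the addresses are the ones used in the subnet block above.

```shell
#!/bin/sh
# Added example: pre-flight consistency check for a dhcpd.conf subnet declaration.
# An address is on the subnet when (address AND netmask) equals the subnet number,
# which is exactly the test dhcpd itself uses to decide which subnet a client is on.
set -e

# Convert a dotted quad such as 192.168.1.100 into a 32-bit integer.
ip2int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_subnet SUBNET NETMASK RANGE_START RANGE_END ROUTER BROADCAST
# Prints one line per problem found; returns 1 if there was any problem, 0 otherwise.
check_subnet() {
  net=$(ip2int "$1"); mask=$(ip2int "$2"); rc=0
  start=$(ip2int "$3"); end=$(ip2int "$4"); router=$(ip2int "$5")

  # The subnet number must be a network address, not a host address.
  [ $(( net & mask )) -eq "$net" ] || { echo "subnet $1 is not aligned to netmask $2"; rc=1; }

  # Every address dhcpd hands out or advertises must lie inside the declared subnet.
  for ip in "$3" "$4" "$5"; do
    [ $(( $(ip2int "$ip") & mask )) -eq "$net" ] || { echo "$ip is not on subnet $1/$2"; rc=1; }
  done

  # The range must be ordered, and the router must not sit inside the dynamic pool,
  # otherwise dhcpd may lease the gateway's own address to a client.
  [ "$start" -le "$end" ] || { echo "range start $3 is after range end $4"; rc=1; }
  if [ "$router" -ge "$start" ] && [ "$router" -le "$end" ]; then
    echo "router $5 lies inside the dynamic range $3-$4"; rc=1
  fi

  # The broadcast address is the subnet number with all host bits set.
  [ "$(ip2int "$6")" -eq $(( net | (mask ^ 4294967295) )) ] \
    || { echo "broadcast $6 does not match $1/$2"; rc=1; }

  return $rc
}

# Usage with the values from the subnet block in this article.
check_subnet 192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.200 192.168.1.254 192.168.1.255 \
  && echo "subnet declaration is consistent"
```

Run it before dhcpd -t; a non-zero exit status means at least one value is inconsistent, and the printed lines say which. Passing the mistyped range 192.168.0.100 192.168.0.200 against subnet 192.168.1.0, for instance, reports both range addresses as off-subnet.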

How do I start / stop / restart the DHCP server?

Type the following commands:

 
service isc-dhcp-server start
service isc-dhcp-server stop
service isc-dhcp-server restart
service isc-dhcp-server status
 

Sample outputs:

Fig.01: Debian Linux: Start / Stop / Restart DHCPD Server Commands

How do I verify that DHCP server UDP port # 67 is opened by dhcpd?

Type any one of the following commands:
# netstat -tulpn | grep --color "dhcp"
OR
# ps aux | grep --color "[d]hcpd"
OR
# pgrep dhcpd
Sample outputs:

Fig.02: Verify That The DHCPD Server Is Running or Not

Troubleshooting the DHCP server problem

By default, dhcpd logs all output through syslog with the log facility set to LOG_DAEMON, i.e. to the /var/log/syslog file:
# tail -f /var/log/syslog
# grep dhcpd /var/log/syslog

You can dump DHCP packets under Linux / UNIX for monitoring or debugging purposes using the dhcpdump command as follows:
# dhcpdump -i eth0
Or use the good old tcpdump program:
# tcpdump -lenx -i eth0 -s 1500 port bootps or port bootpc
Change to the /var/lib/dhcp directory to see more information about the leases that the DHCP server has assigned to clients:
# cd /var/lib/dhcp/
# ls -l
# vi dhcpd.leases
# cat dhcpd.leases
# grep 'something' dhcpd.leases

Securing the DHCP server

Disable the dynamic DNS:

ddns-update-style none;

Deny DHCPDECLINE messages to avoid a DoS attack against your DHCP server. A client device can send DHCPDECLINE messages many times, which can exhaust the DHCP server's pool of IP addresses and cause the DHCP server to forget old address allocations:

deny declines;

Disable support for older BOOTP clients:

deny bootp;

You must set valid and correct values for all of the following operational directives. If you are not using a NIS domain or an NTP server, make sure the corresponding options are not defined.

## see dhcpd.conf man page for more info on the directives ##
option domain-name
option domain-name-servers
option nis-domain
option nis-servers
option ntp-servers
option routers
option time-offset

In most cases you only need the domain-name, domain-name-servers, and routers directives; the rest should be removed to minimize the information served by the DHCP server.

How do I configure iptables to allow access to the DHCP server?

Edit your iptables scripts and add the following lines:

 
## Make sure you use an appropriate network block ##
## and network mask, representing the machines on your ##
## network which should operate as clients of the dhcp server. ##
## Syntax: ##
## /sbin/iptables -A INPUT -s net/mask -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT ##
## Adjust rules as per your setup ##
 
/sbin/iptables -A INPUT -s 192.168.1.0/24 -i eth0 -p tcp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT
 

A slightly different configuration for an internal subnet

The following is a special subnet that allows PXE network booting using a tftpd server at 192.168.0.5 (please note that you need to install and configure the tftpd server separately):

 
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.20 192.168.0.50;
  ## openbsd pxe boot file ##
  filename "openbsd/pxeboot";
 
  ## Debian 6 pxe boot file ##
  ## filename "debian6/pxelinux.0";
 
  ## Freebsd pxe boot file ##
  ## filename "freebsd/pxeboot";
 
  ## our boot server ##
  next-server 192.168.0.5; 
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.5;
}
 

How do I add BOOTP support?

Each BOOTP client must be explicitly declared in the dhcpd.conf file.

 
## bootp my headless home router ##
host router {
     hardware ethernet 08:00:2b:4c:59:23;
     fixed-address 192.168.0.21;
     filename "debian6/pxelinux.0";
}
 
This entry is 1 of 3 in the Debian / Ubuntu Linux DHCP+TFTPD Netboot Server Tutorial series. Keep reading the rest of the series:
  1. Setup An ISC DHCP Server For Your Network
  2. Setup A TFTPD-HPA Trivial File Transfer Protocol Server
  3. Example: Install OpenBSD Using PXE

10 comments

1 Logicos November 28, 2012 at 10:11 pm

1) “netfilter” can’t stop DHCP requests.
2) “dig” is the best tool for DNS debugging

A+

Reply

2 Jalal Hajigholamali November 29, 2012 at 3:55 am

Hi,

Thanks for very nice article

Reply

3 tim December 1, 2012 at 3:12 pm

nice write up. question, so this is possible even if you already have an existing DHCP server? I want to use this along with TFTP for a PXE test setup.

Reply

4 nixCraft December 1, 2012 at 8:20 pm

Yes, you can use this with existing dhcp provided that you can modify the configuration.

Reply

5 dave January 29, 2013 at 11:05 am

Hi,
thanks for a very nice article as usual :)
I have a question: is there a simple dhcpd.leases file parser for cli? At least to get stats about used and free leases..
I was using dhcpstatus but apache2 started crashing.. dhcpstatus is old now and is web based, which I don’t need.. cli would be fine :)
thx

Reply
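The troubleshooting section above suggests grepping /var/lib/dhcp/dhcpd.leases by hand, and the comment just above asks for a command-line way to get used/free statistics out of it. As an added example (not part of the original article, not ISC code, and not the dhcpstatus tool the commenter mentions), the following POSIX shell script parses the leases file with awk and reports the pool usage. The point a plain grep misses is that dhcpd appends to this file and never edits entries in place, so the same IP address can appear several times and only its last block is current. The sample leases file is constructed for the example; the function names lease_states, active_leases, ip2int and pool_report are my own.

```shell
#!/bin/sh
# Added example: a small command-line parser for dhcpd.leases that reports used and
# free addresses for a declared range. The file format is documented in dhcpd.leases(5).
set -e

# Constructed sample of a dhcpd.leases file (not a real capture). Note that
# 192.168.1.101 and 192.168.1.102 each appear twice: the later block wins.
SAMPLE_LEASES=$(mktemp)
trap 'rm -f "$SAMPLE_LEASES"' EXIT
cat > "$SAMPLE_LEASES" <<'EOF'
# constructed sample; dhcpd writes one block per lease event, newest last
lease 192.168.1.100 {
  starts 4 2012/11/29 10:00:00;
  ends 5 2012/11/30 10:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 08:00:27:aa:bb:01;
  client-hostname "laptop";
}
lease 192.168.1.101 {
  starts 4 2012/11/29 10:05:00;
  ends 5 2012/11/30 10:05:00;
  binding state active;
  next binding state free;
  hardware ethernet 08:00:27:aa:bb:02;
}
lease 192.168.1.102 {
  starts 3 2012/11/28 09:00:00;
  ends 4 2012/11/29 09:00:00;
  binding state free;
  hardware ethernet 08:00:27:aa:bb:03;
}
lease 192.168.1.101 {
  starts 4 2012/11/29 10:05:00;
  ends 4 2012/11/29 11:00:00;
  binding state free;
  hardware ethernet 08:00:27:aa:bb:02;
}
lease 192.168.1.102 {
  starts 4 2012/11/29 12:00:00;
  ends 5 2012/11/30 12:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 08:00:27:aa:bb:03;
}
EOF

# lease_states FILE: print "IP STATE HWADDR" once per address, using its most recent block.
# "next binding state" lines are deliberately not matched; only the current state counts.
lease_states() {
  awk '
    /^lease /                   { ip = $2 }
    /^[ \t]*binding state /     { sub(/;$/, "", $3); state[ip] = $3 }
    /^[ \t]*hardware ethernet / { sub(/;$/, "", $3); mac[ip] = $3 }
    END { for (ip in state) print ip, state[ip], mac[ip] }
  ' "$1" | sort
}

# active_leases FILE: number of addresses whose current binding state is "active".
active_leases() {
  lease_states "$1" | awk '$2 == "active" { n++ } END { print n + 0 }'
}

# Convert a dotted quad into a 32-bit integer so range sizes can be computed.
ip2int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pool_report FILE RANGE_START RANGE_END: prints "used free total" for the declared range.
pool_report() {
  total=$(( $(ip2int "$3") - $(ip2int "$2") + 1 ))
  used=$(active_leases "$1")
  echo "$used $(( total - used )) $total"
}

# Usage with the sample file and the range from the article's subnet block.
lease_states "$SAMPLE_LEASES"
pool_report "$SAMPLE_LEASES" 192.168.1.100 192.168.1.200
```

For a real server replace the sample file with /var/lib/dhcp/dhcpd.leases and the range with the one from your subnet block. The "used" figure counts only leases whose current state is active; addresses whose latest block says free are counted as available, which is how dhcpd itself will treat them.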

6 beastie January 30, 2013 at 2:17 pm

Your iptables rules look incomplete.
It would be good to mention the /usually/ UDP is used, and this is why you don’t see the TCP part very often. /etc/services says 67/tcp is bootps so I guess it is.

The first DHCP messages use the addresses 0.0.0.0 and 255.255.255.255.
Your rules only cover DHCP renewal.

In addition, I think iptables does not keep state by default, so you need another rule for replies. (I think your rules accepts DHCP reqs, but replies may be blocked depending on your other iptables rules).

Reply
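The iptables section of the article and the comment just above (UDP only, initial requests from 0.0.0.0 to 255.255.255.255, replies needing their own rule) are both covered by the following rule set, which is an added example and not the article's own script. It assumes the interface eth0 and client block 192.168.1.0/24 from the article, an IPT variable of my own that can be pointed at "echo" to preview the rules, and a constructed log prefix "DHCP-DROP: ".

```shell
#!/bin/sh
# Added example: a DHCP server rule set that covers the initial exchange as well as renewals.
# Set IPT=echo to print the rules instead of applying them.
set -e

# dhcp_server_rules IFACE CLIENT_NET: emit or apply the rules for dhcpd listening on IFACE.
dhcp_server_rules() {
  iface="$1"; net="$2"
  ipt="${IPT:-/sbin/iptables}"

  # DHCP runs over UDP only: server port 67 (bootps), client port 68 (bootpc).
  # A client with no address yet sends DISCOVER/REQUEST from 0.0.0.0 to 255.255.255.255,
  # so a rule restricted to the LAN block alone never matches that first packet.
  "$ipt" -A INPUT -i "$iface" -p udp -s 0.0.0.0 -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT

  # Renewals come unicast from a client that already holds a lease on the LAN block.
  "$ipt" -A INPUT -i "$iface" -p udp -s "$net" --sport 68 --dport 67 -j ACCEPT

  # Replies leave from port 67 to port 68. OFFER/ACK to a client without an address are
  # broadcast, so an explicit OUTPUT rule is used rather than relying on conntrack state.
  "$ipt" -A OUTPUT -o "$iface" -p udp --sport 67 --dport 68 -j ACCEPT

  # Anything else aimed at the DHCP port on this interface is logged and dropped, so stray
  # or spoofed requests show up in the syslog the troubleshooting section points at.
  "$ipt" -A INPUT -i "$iface" -p udp --dport 67 -j LOG --log-prefix "DHCP-DROP: "
  "$ipt" -A INPUT -i "$iface" -p udp --dport 67 -j DROP
}

# Preview the rules for eth0 / 192.168.1.0/24 without touching the running firewall.
IPT=echo dhcp_server_rules eth0 192.168.1.0/24
```

Drop the IPT=echo prefix (or leave IPT unset) to apply the rules with /sbin/iptables. One caveat that the first comment on this page alludes to: on Linux, ISC dhcpd reads requests through a raw packet socket, so an INPUT DROP does not stop dhcpd itself from seeing a request. The rules still record what arrives on port 67, protect any ordinary UDP listener on that port, and document which exchanges are expected on which interface.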

7 bekota April 22, 2013 at 2:17 pm

Thanks for the tutorial. If we want to use DHCP and TFTP on the same server, how do we do the configuration?

Reply

8 Mohammad June 5, 2013 at 10:40 am

thanks ?

Reply

9 vipzrx June 20, 2013 at 8:51 am

range 192.168.0.100 192.168.0.200; – For any subnet on which addresses will be assigned dynamically, there must be at least one range statement. The range statement gives the lowest and highest IP addresses in a range. All IP addresses in the range should be in the subnet in which the range statement is declared. 192.168.1.100 is the starting IP address and 192.168.1.200 is the ending IP address in this pool.

range 192.168.0.100 192.168.0.200; -> range 192.168.1.100 192.168.1.200;

Reply

10 kristijan June 21, 2013 at 12:46 pm

Tnx, very helpful article !

Reply
